We, Matterhorn Gotthard Bahn (Bahnhofplatz 7, 3900 Brig, Switzerland), a public limited company, operate the websites www.matterhorngotthardbahn.ch and www.gornergratbahn.ch (hereinafter referred to as the "website") and provide the services offered thereon.
Your trust is important to us. Accordingly, we take the issue of data protection seriously and observe the appropriate safety measures. Consequently, we consider it a matter of course to comply with the legal requirements of the Swiss Federal Act on Data Protection (FADP), the Ordinance to the Federal Act on Data Protection (FADP), the Telecommunications Act (TCA) and other provisions of Swiss data protection law. Furthermore, we also consider it a matter of course to comply with the applicable provisions of the EU General Data Protection Regulation (EU GDPR).
To help you understand which personal data we collect from you and for which purposes we use this data, please refer to the information below.
1. Customer promise by public transport companies
Public transport companies handle customer data confidentially. The protection of your personality and your privacy is of utmost importance for us public transport companies. We guarantee that your personal data will be processed pursuant to the applicable provisions of data protection law.
The public transport companies set an example with the following principles for the trustworthy handling of your data:
You decide yourself about the processing of your personal data.
Within the legal framework, you can refuse data processing at any time or revoke your consent to it or have your data deleted. You always have the option of travelling anonymously, i.e. without having your personal data recorded.
We offer you added value when processing your data.
Public transport companies use your personal data exclusively to offer you added value along the mobility chain (e.g. tailor-made offers and information, support or compensation in the event of disruption). Your data is therefore only used for the development, provision, optimisation and evaluation of our services or for the maintenance of the customer relationship.
Your data will not be sold.
Your data will only be disclosed to selected third parties listed in this data protection declaration and only for the explicitly stated purposes. If we commission third parties with data processing, they are obliged to comply with our data protection standards.
We guarantee the security and protection for your data.
Public transport companies guarantee the careful handling of customer data as well as the security and protection of your data. We ensure the necessary organisational and technical precautions for this.
Below you will find detailed information on how we handle your data.
2. Responsibility for data processing
We, Matterhorn Gotthard Bahn (Bahnhofplatz 7, 3900 Brig, Switzerland), a public limited company, are responsible for the data processing listed in this data protection declaration, unless otherwise stated. As a public transport company, we are required by law to carry out so-called direct transports (DT). For this purpose, certain data is exchanged with the transport companies (TC) and public transport associations as well as with third parties that distribute public transport products, and stored centrally in databases operated jointly by all TU and public transport associations. We are therefore responsible for individual data processing jointly with these TCs and associations. For more information on individual data processing, see section 12.
3. Data processing when visiting www.matterhorngotthardbahn.ch and www.gornergratbahn.ch
During your visit to our website, our servers temporarily save each access in a log file. The following data is collected without your intervention and stored until it is automatically deleted by us:
- the IP address of the requesting computer,
- the date and time of access,
- the name and URL of the accessed file,
- the website from which the access was made, if applicable with the search word used,
- the operating system of your computer and the browser you use (incl. language setting),
- device type in case of access by mobile phones
- the city or region from where the access was made,
- the name of your internet access provider.
The collection and processing of this data is carried out to enable the use of our website (connection establishment), to permanently guarantee system security and stability, for error and performance analysis as well as for internal statistical purposes. Furthermore, it enables us to optimise our internet offer. In this context, the language setting of your browser is used to determine the default language setting of our website. In addition, this enables us to design our website in a target group-specific manner, i.e. to provide you with targeted content or information that may be of interest to you.
In the event of an attack on the network infrastructure of the website or a suspicion of other unauthorised or abusive website use, the IP address and other data will be evaluated for the purpose of clarification and defence and, if necessary, used in the context of criminal proceedings to identify and take civil and criminal action against the users concerned.
Our legitimate interest in data processing within the meaning of Art. 6 para. 1 lit. f EU GDPR lies in the purposes described above.
4. Data processing during registration for a user account
For the voluntary creation of your user account on our website, we collect the following data, with mandatory data marked with an asterisk (*) in the corresponding form:
- first name
- last name
- date of birth
- e-mail address
We require the data to provide an overview of the services you have obtained and a simple way to manage your personal data, to process and administer our website, to check the plausibility of the data entered, i.e. to establish, structure the content of, process and amend the contractual relationships concluded with you via your user account. The e-mail address and the password together form the login data.
The data in the customer account can be viewed and changed by the customer at any time. Finally, a customer can request the complete deletion of the customer account.
The provision of data that is not marked as mandatory is provided on a voluntary basis. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if required with a view to fulfilling the contract or for statistical collection and evaluation in order to optimise our offers.
The legal basis for the processing of your data for the preceding purpose is your consent pursuant to Art. 6 (1) lit. a EU GDPR. You can revoke your consent at any time (see section 15), which would, however, be tantamount to deleting your customer account.
If you link your customer account with a Swiss Pass account, changes to your personal data (e.g. change of address) and the services you have purchased are automatically reconciled and recorded in both accounts.
For data processing in connection with your Swiss Pass account, please also note the information provided in section [insert title or numbering].
5. Data processing when using the website as a registered user
During the use of the website by logged-in registered users, we collect data for statistical reasons and to enable the smooth functioning of the website. In particular, the following data is collected:
- the type, frequency and intensity of use of the website
- the duration of your membership
- the orders placed
- the composition of the shopping basket
6. Data processing during purchase of services
If you would like to order products or book services on our website, such as train tickets, hotel accommodation, car transport tickets, vouchers or events, we require various data to process the contract. We collect – depending on the product or service – the following data, whereby mandatory data is marked with an asterisk (*) in the corresponding form:
- your last name and first name, and, if applicable, those of other benefit recipients
- postal address (street, house number, postcode, city, country)
- e-mail address
- information within the framework of the payment
- date of birth
- phone number
- loading direction, loading time, vehicle type, trailer
- number plate and country
- existing tickets/subscriptions (e.g. Half-Fare Card)
- Swisspass ID
In order to process the contractual relationship, we also collect data regarding the services you have obtained ("service data"). This includes – depending on the product or service – the following information:
- type of product or service purchased
- date and time of purchase
- time of service provision (e.g. date of event, overnight stay or travel or duration of validity)
- place of departure and destination
We will also disclose this information to the relevant third-party service providers (e.g. transport companies (such as SBB; please also refer to the last paragraph of this section), hotels (such as the Grand Hotel Zermatterhof), event organisers (such as the Verein Freilichtspiele Zermatt) or an insurance company (when booking travel cancellation insurance) to the extent necessary for the performance of the contract.
The legal basis for this processing is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b EU GDPR.
The provision of data that is not marked as mandatory is provided as voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary with a view to fulfilling the contract or for statistical collection and evaluation to optimise our offers. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR in providing a personalised offer and optimising it.
If you purchase services after opening a customer account or using your login data for the customer photo, we will store your data in the customer account (please also refer to sections 4 and 5). The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR.
Data generated when purchasing public transport services is stored in a central database (see the section on shared responsibility in public transport) and also processed for other purposes, which include marketing purposes (see sections 11). Furthermore, the data is used in the context of ticket control to identify the holder of a personalised ticket and to prevent misuse. The data is also used to provide our service-après-vent, to identify and assist you in the event of concerns or difficulties, and to process any compensation claims. As well, the data is used to distribute the revenue generated by the purchase of tickets fairly among the companies and affiliates of direct transport. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 Para. 1 lit. f EU GDPR.
7. Data processing when using the contact form
In the event that you contact us using the contact form on the website, we collect the following data from you, whereby mandatory data in the corresponding form is marked with an asterisk (*):
- field which your message pertains to
- first name and last name
- address (street, city, country)
- e-mail address
- phone number
We use this data exclusively to answer the questions you have asked or to provide the services you have requested. The collection of your first and last name as well as your address allows us to provide targeted customer service to existing customers and to efficiently prepare offers for potential new customers. Furthermore, your country of residence allows us to inform you of any country-specific factors. The legal basis for this data processing is the requirement to execute pre-contractual measures within the meaning of Art. 6 para. 1 lit. b EU GDPR.
The provision of data that is not marked as mandatory is provided on a voluntary basis. We process this data, as well as data that is not related to a potential contract, in order to deal with your request in the best possible way pursuant to your personal needs, to facilitate the preparation and execution of future contracts, to contact you regarding the concluding and fulfilling of the contract or to deal with your request via an alternative communication channel if required, or for statistical collection and evaluation in order to optimise our offers.
The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f EU GDPR in handling contact requests.
8. Data processing for purchases in the Pandinavia AG souvenir shop
On our website you will find the section "Souvenirs". After clicking on the corresponding link, you will be taken to another website. This website is operated on our behalf by Pandinavia AG (Industriestrasse 30, CH-8302 Kloten), on their servers. Pandinavia AG is solely responsible for data processing in connection with the souvenir shop, and we have no influence over this. When using the souvenir shop website, the data protection guidelines and GTCs of Pandinavia AG apply accordingly.
9. Data processing when using the online Photopoint station and ordering your personalised video
You can take a photo at the Photopoint of the Gornergrat mountain station, which will then be integrated into the personalised video of your ride on the Gornergratbahn (see below). To take a photo, you need to scan your Skidata ticket or SwissPass at the Photopoint. Only the respective card number will be recorded for further processing. No other information will be processed when the photo is taken. The respective number is linked to your photo. However, the photo does not identify you by name. The photo and the respective card numbers are passed on to the third-party service provider, ALTUROS Destinations GmbH, Lakeside B03, 9020 Klagenfurt, Austria (hereinafter ALTUROS).
You can then order and download a personalised video of your ride on the Gornergratbahn from our website. The photo taken at the Photopoint will also be processed for this purpose.
To do so, we require the following mandatory information from you:
- travel date
- SwissPass number or skidata number
- e-mail address
- first name and last name
- country of origin
We will pass this information on to ALTUROS. The data you provide for the download, as well as the photo created at Photopoint, will be stored on ALTUROS' servers. ALTUROS will use this data and the photo to create your personalised video on our behalf.
The legal basis for the processing of your data for the order of the personalised video is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b EU GDPR.
Cookies help in many ways to make your visit to our website easier, more enjoyable and more meaningful. Cookies are information files that your web browser stores on your computer's hard drive or memory when you visit our website. Cookies are assigned identification numbers that identify your browser and allow the information contained in the cookie to be read. Cookies cannot damage your computer's hard drive.
Most internet browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message always appears when you receive a new cookie. On the following pages you will find explanations of how to configure the processing of cookies in the most common browsers.
Deactivating cookies may mean that you cannot use all the functions of our website.
11. Google SiteSearch / Google Custom Search Engine
This website uses the Google SiteSearch/Google Custom Search Engine of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). This enables us to provide you with an efficient search function on our website.
When using the search field on this website, your browser may transmit the data listed in section 3 (incl. IP address) as well as the search term you entered to Google, provided you have installed Java script in your browser. If you would like to prevent the transmission of data, you can deactivate Java Script in your browser settings (usually in the "Privacy" menu). Please note that the search function may be impaired in this case.
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR in providing an efficient website search function.
12. Use of your data for marketing purposes
12.1. Central data storage and analysis in our CRM system
We evaluate this data in order to further develop our offers in line with your needs and to provide you with the most relevant information and offers possible (see section 11.2) or to display them accordingly (see section 11.3). We also use methods that predict possible future purchasing behaviour based on your current purchasing behaviour. The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR in carrying out marketing measures.
12.2. Newsletter / E-mail advertising
You will only receive a newsletter or e-mail advertising from us at your express request. Registration on the website is required for this. The following data must be provided as part of the registration:
- e-mail address
- first and last name
By registering you give us your consent to process this data for the purpose of sending you communications regarding our company, our tourism and transport offers and related products and services (such as souvenirs or hotel accommodation) from us, the companies in which BVZ Holding holds an interest and selected partner companies, such as hotels or service providers in municipalities in our route network. This may also include requests to parti-cipate in surveys (market research) or competitions or to evaluate one of the aforementioned services/products or companies.
We will use your data for e-mailing until you revoke your consent. Revocation is possible at any time. You will also find an unsubscribe link in every advertising e-mail.
Our promotional e-mails may contain a so-called web beacon (tracking pixel) or similar technical means. A web beacon is a 1x1 pixel invisible graphic, that is associated with the user ID of the respective newsletter subscriber.
For each advertising e-mail sent, there is information available on the address file used, the subject and the number of advertising e-mails sent. In addition, it is possible to see which addresses have not yet received the e-mail, to which address it was sent and for which addresses the sending failed. In addition, we see which addresses have already opened the e-mail. Finally, we also receive information regarding the addresses that have unsubscribed. We use this data for statistical purposes and to optimise our advertising e-mails in terms of content and structure. This enables us to better tailor the information and offers in our e-mails to the individual interests of the recipients. The tracking pixel is deleted when you delete the e-mail.
To prevent the use of the web beacon in our advertising e-mails, please set your e-mail programme so that HTML is not displayed in messages, if this is not already the case by default. On the following pages you will find explanations on how to change this setting in the most common e-mail programmes.
By registering you give us your consent to process the data provided for the regular sending of promotional e-mails to the address you have provided and for the statistical evaluation of usage behaviour as well as the optimisation of the newsletter. This consent constitutes our legal basis for the processing of the data within the meaning of Art. 6 para. 1 lit. a EU GDPR.
We use e-mail marketing software by Alturos Destinations (Lakeside B03, 9020 Klagenfurt, Austria) to send out promotional e-mails. For this purpose, your data is stored on a Braze da-tabase system (77 Hatton Garden, 4th Floor, Holborn, London EC1N 8JS, United Kingdom), so that your data may be accessed by Alturos and Braze to the extent necessary to provide the software and support for the use of the software. The legal basis for this transfer is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU-DSGVO in having recourse to third-party service providers.
In certain cases, contact may also be made by SBB or another company involved in direct transport under strict conditions. You can refuse to be contacted by SBB (e.g. in connection with your General or Half-Fare Card) or by other public transport companies at any time.
The following options are available for this purpose:
- Every e-mail you receive from public transport companies contains an unsubscribe link that allows you to unsubscribe from further messages with one click.
- Provided you have a SwissPass login, you can log on to www.swisspass.ch and manage your settings for receiving messages in your user account at any time.
- You can also deregister at any counter of a public transport company.
We use so-called re-targeting technologies. This involves analysing your user behaviour on our website in order to be able to offer you individually tailored advertising on partner websites. Your user behaviour is recorded pseudonymously.
This website uses Doubleclick by Google, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), to place ads based on the use of previously visited websites. Google uses the so-called DoubleClick cookie for this purpose, which enables your browser to be recognised when visiting other websites. The information generated by the cookie about your visit to these websites (including your IP address) will be transmitted to and stored by Google on servers in the United States (for information on data transfers to the United States, please refer to section 15).
Google will use this information for the purpose of evaluating your use of the website in relation to the advertisements to be displayed, compiling reports on website activity and advertisements for website operators and providing other services in connection with website activity and internet usage. In addition, DoubleClick can use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website with the same browser and makes a purchase there.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. However, Google has stated that it will not associate your IP address with any other data held by Google. Further information on data protection at Google can be found here.
We also use Google Tag Manager to manage usage-based advertising services. The Tag Manager tool itself is a cookie-less domain and does not collect any personal data. Rather, the tool triggers other tags, which in turn may collect data (for more information, see above). In the event that you have deactivated a tag at the domain or cookie level, this remains in place for all tracking tags implemented with the Google Tag Manager.
The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 9).
12.4. Tracking tools
12.4.1. General information
For the purpose of demand-oriented design and continuous optimisation of our pages, we use the web analysis services listed below. In this context, pseudonymised usage profiles are created and cookies are used (please also refer to section 9). The information generated by the cookie about your use of this website is generally transmitted together with the data listed in section 3 to a server of the service provider, where it is stored and processed; this may also involve transmission to servers in the USA. In this case and by means of contractual arrangements with these companies, we guarantee that your data is adequately protected at these companies.
By processing the data, we obtain the following information:
- navigation path followed by a visitor on the site (incl. content viewed and products selected or purchased),
- dwell time on the website or sub-page,
- the sub-page on which the website is left,
- the country, region or city from where access is made,
- end device (type, version, colour depth, resolution, width and height of the browser window) and
- returning or new visitor
The provider will use this information on our behalf to evaluate the use of the website, to compile reports on website activities for us and to provide other services associated with website and internet use for the purposes of market research and demand-oriented design of these webpages. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf.
The legal basis for this data processing with the following tools is your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. You can revoke your consent at any time by rejecting or deactivating the relevant cookies in the menu bar of your web browser (see section 9) or by making use of the options described below.
12.4.2. Google Analytics
We use the web analysis service Google Analytics by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland or Google LLC, 1600 Amphitheatre Parkway, Moun-tain View, CA 94043, USA ("Google").
In doing so, the described data regarding the use of the website may be transmitted to the servers of Google LLC. in the USA for the processing purposes explained (see section 11.4.1). The IP address is shortened by activating IP anonymisation ("anonymizeIP") on this website before transmission within the member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. In these cases, we ensure through contractual guarantees that Google complies with a sufficient level of data protection. According to Google, in no case will the IP address be associated with other data concerning the user.
Users can prevent the collection of the data generated by the cookie and related to the website use by the respective user (incl. the IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link:
12.4.3. Crazy Egg
We use the web tracking tool Crazy Egg on our website. Crazy Egg is operated by Crazy Egg Inc. (6220 E. Ridgeview Lane, La Mirada, CA, 90638, USA).
In doing so, the data described regarding the use of the website is transferred to a Crazy Egg server in the USA for the processing purposes explained (see section 11.4.1) and stored there. The tool also allows us to recognise which areas of our website are visited and clicked on most often by means of a so-called "heat map" or "scroll map". For this purpose, a usage profile is visually displayed. Accordingly, the web analysis tool records in particular mouse movements, clicks and entries of website users. This creates a log of mouse movements and clicks with the intention of randomly replaying individual website visits and deriving from this potential improvements for the website. We have contractual guarantees to ensure that Crazy Egg maintains a sufficient level of data protection.
You can prevent the collection and transfer of the data generated by the cookie relating to your use of the website (including your IP address) to Crazy Egg and the processing of this data by Crazy Egg by following the instructions at the following link: www.crazyegg.com/opt-out.
12.5. Links, plugins and tools from social media networks
12.5.1. Links to social media networks
You will find links to social media networks on our website. These are not plugins provided by the provider which transmit data to the provider when the page is loaded, without the user having any influence. The buttons to the social media networks merely contain a link to the social media network including the transfer of the website to be shared. No user data is transmitted from the website to the social media network.
The links lead to the following networks:
- Facebook Inc, 1601 S. California Ave, Palo Alto, CA 94304, USA,
- LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (www.matterhorngotthardbahn.ch only)
- Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA
- YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA
When you call up a link to one of our social media profiles, a direct connection is established between your browser and the server of the social network concerned. This provides the network with the information that you have visited our website with your IP address and accessed the link. If you call up a link to a network while you are logged into your account with the network in question, the content of our site may be linked to your profile with the network, which means that the network can assign your visit to our website directly to your user account. To prevent this from happening, you must log out before clicking on the corresponding links. An assignment will take place in any case if you log in to the relevant network after clicking on the link.
12.5.2. Social plugins
You can use the social plugins listed below on our website:
- Facebook; Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA)
- Twitter; Twitter Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107, USA)
Social plugins are used to make our websites more personal.
Your browser establishes a direct connection with the servers of the respective social network as soon as you call up our website. The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by it.
By integrating the plugins, the respective provider receives the information that your browser has accessed the corresponding page of our website, even if you do not have an account with this social network or are not currently logged in to it. This information (including your IP address) is transmitted from your browser directly to a server of the provider (usually in the USA) and stored there. We therefore have no influence on the scope of the data that the provider collects with the plugin.
If you are logged into the social network, it can assign your visit to our website directly to your user account. If you interact with the plugins, the corresponding information is also transmitted directly to the provider’s server and stored there. The information may also be published on the social network and displayed for other users of the social network to see.
The provider of the social network may use this information for the purposes of advertising, market research and designing the respective offer in line with requirements. For this purpose, usage, interest and relationship profiles could be created, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on the social network, to inform other users about your activities on our website and to provide other services associated with the use of the social network.
For the purpose and scope of the data collection and the further processing and use of the data by the providers of the social networks, as well as your rights in this regard and setting options for protecting your privacy, please refer directly to the data protection notices of the respective provider (Facebook: https://www.facebook.com/about/privacy/update; Twitter: https://twitter.com/de/privacy).
If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins.
Your consent within the meaning of Art. 6 (1) lit. a EU GDPR forms the legal basis for the data processing described.
12.5.3. Facebook pixel / Facebook custom audience
On our website, we use the so-called "Facebook pixel" of the Facebook social network, which is operated by Facebook Inc. (1 Hacker Way, Menlo Park, CA 94025, USA) and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
With the help of the Facebook pixel, Facebook determines the visitors to our website as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display Facebook ads placed by us only to those Facebook users who have also shown an interest in our website or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called "custom audiences").
With the help of the Facebook pixel, we also wish to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Facebook pixel, we can track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").
The Facebook pixel is directly integrated by Facebook when you visit our website and can save a cookie on your device (see section 9). If you subsequently log in to Facebook or visit Facebook while logged in, your visit to our website will be noted in your profile. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the user’s identity. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible. The data can therefore be used by Facebook for its own market research and advertising purposes.
If we transmit data to Facebook for matching purposes, this data is encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of matching the data with the data encrypted in the same way by Facebook.
Moreover, when using the Facebook pixel, we use the additional function "extended matching", whereby data for the creation of target groups ("custom audiences" or "look alike audiences") is transmitted to Facebook in encrypted form.
The legal basis for the aforementioned data processing is based on your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR).
You can object to the collection by the Facebook pixel and the use of your data for the display of Facebook ads or revoke your consent. To set which types of advertisements are displayed to you on Facebook, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising.
13. Mutual responsibility in public transport
For this and other purposes described in this privacy statement, information is shared nationally within the National Direct Transport (Nationale Direkte Verkehr NDV), an association of more than 240 transport companies and public transport networks. The individual TCs and associations are listed here. Data from the purchase of services and contacts in connection with public transport services are stored in a central database, which is managed by SBB on behalf of NDV and for which we are jointly responsible with the other companies and associations of NDV ("DT database").
For services that you purchase using the SwissPass login, the data is then stored in another central database ("SwissPass database") for which we are jointly responsible with TCs and NDV associations, with the database in turn being managed by SBB on behalf of NDV. For efficient service provision and cooperation among the parties involved, the data from the various databases is merged where required. In order to enable you to use the so-called Single Sign-On (SSO) (one login for all applications that offer the use of their services with the SwissPass login), the aforementioned login, card, customer and service data are also exchanged between the central SwissPass login infrastructure and ourselves as part of the authentication process.
The scope of access to the shared databases by the individual TCs and associations is regulated and limited by a joint agreement. The disclosure and processing by the other TCs and associations of the NDV that takes place through central storage is in principle limited to contract processing, ticket control, service-après-vente and revenue distribution. In addition, the data collected when purchasing NDV services is also processed for marketing purposes in certain cases. This includes data evaluation in order to further develop and advertise the public transport services in a needs-oriented manner.
If you need to be contacted for this purpose, such contact shall always happen through us. The other TCs and associations involved in the NDV will only contact you in exceptional cases and under strict conditions, and only if the evaluation of the data shows that a certain public transport offer is suitable and may lead to added value for you as a customer. One exception to this are contacts by SBB. SBB holds the marketing mandate for DT services (e.g. General and Half-Fare Card) on behalf of the NDV and can contact you regularly in this function.
The legal basis for the data processing mentioned here is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR.
14. Disclosure of data to third parties or granting of access to data to third parties
Your data shall not be resold by us. Your personal data will only be passed on to selected service providers and only to the extent necessary for the provision of the service. These include IT support service providers, issuers of subscription cards, dispatch service providers (such as Swiss Post), or service providers commissioned to distribute transport revenue among the transport companies involved (in particular in the course of drawing up so-called distribution keys within the meaning of the Swiss Passenger Transport Act). A service provider to whom the personal data collected via the website is passed on or who has or may have access to it is our web hoster iWay AG (Badenerstrasse 569, 8048 Zurich). The website is hosted on servers in Switzerland. Access to our webshop and the personal data collected is also granted to our webshop processor Peaksolution GmbH (Lakeside B03, 9020 Klagenfurt am Wörthersee, Austria).
Furthermore, your data may be disclosed, in particular to authorities, if we are legally obliged to do so or if this is required to protect our rights, in particular to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is required to carry out due diligence or to complete the transaction.
If you book cross-border travel, this information will also be passed on to the respective foreign providers. However, this shall only be done to the extent necessary to check the validity of the tickets and to prevent misuse.
Our legitimate interest within the meaning of Art. 6 (1) f EU GDPR forms the legal basis for this data transfer.
In addition, we shall transfer your personal data to third party service providers (see section 6) to the extent necessary for the performance of the contract. Furthermore, when you pay by credit card on the website, we forward your credit card information to your credit card issuer and to the credit card acquirer. If you choose to pay by credit card, you will be asked to provide all mandatory information. Regarding the processing of your credit card information by these third parties, we ask you to also read the general terms and conditions as well as the data protection declaration of your credit card issuer. The legal basis for the forwarding is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b EU GDPR.
Your personal data shall not be disclosed to third parties outside the public transport sector (see section 12). The only exceptions are SwissPass partners (to the extent described below) and companies that have been authorised by the public transport companies to broker public transport services on the basis of a contractual agreement. These intermediaries only receive access to your personal data if you wish to obtain a public transport service through them and have given them your consent for access. Even in this case, they only receive access to your data to the extent necessary to determine whether you already have tickets or season tickets for the planned travel period that are relevant to your journey and the service you want from the third party. The legal basis for this data processing is therefore your consent within the meaning of Art. 6 para. 1 lit. a EU GDPR. You can revoke your consent at any time with effect for the future (see section 15).
If you use offers with a SwissPass partner using your SwissPass, data on any benefits you may have purchased from us (e.g. a General, Half-Fare Card or Composite Rail Pass) may be transmitted to the SwissPass partners in order to check whether you can benefit from a specific offer from the SwissPass partner (e.g. discount for General Card holders). In the event of loss, theft, misuse or forgery or card replacement after a benefit has been purchased, the partner concerned will be informed. These data processing operations are required for the performance of the contract concerning use of the SwissPass within the meaning of Art. 6 para. 1 lit. b EU GDPR and are therefore based on this legal basis. Further information can be found in the data protection declaration on swisspass.ch and the data protection declaration of the respective SwissPass partner.
15. Transmission of personal data abroad
Your data is generally stored in databases within Switzerland. However, we are also entitled to transmit your personal data to third companies abroad if this is required in connection with the processing of your enquiries, the provision of services and marketing campaigns (see in particular section 11). In doing so, the legal requirements for the transfer of personal data to third parties will of course be complied with. If the country in question does not have an adequate level of data protection, we guarantee through contractual arrangements with these companies that your data is adequately protected at these companies.
16. Your rights
You can object to data processing at any time, especially data processing in connection with direct advertising (e.g. against advertising e-mails). You also have the following rights:
Right of access: You have the right to request access to your personal data stored by us at any time and free of charge when we process it. This gives you the opportunity to check which personal data we process about you and that we use it pursuant to applicable data protection regulations.
Right to rectification: You have the right to have inaccurate or incomplete personal data corrected and to be informed about the correction. In this event, we will inform the recipients of the data concerned about the adjustments made, unless this is impossible or involves a disproportionate effort.
Right to deletion: You have the right to have your personal data deleted under certain circumstances. In individual cases, especially in the case of statutory retention obligations, the right to deletion may be excluded. In this event, the deletion may be replaced by a blocking of the data if the conditions are met.
Right to restrict processing: You have the right, under certain conditions, to request that the processing of your personal data be restricted.
Right to data transmission: If the legal requirements are met, you have the right under certain circumstances to receive from us, free of charge, the personal data that you have provided to us in a readable format.
Right of revocation: Inprinciple, you have the right to revoke your consent at any time. However, processing activities based on your consent in the past do not become unlawful as a result of your revocation.
To exercise your rights, please send us an e-mail to the following address:
email@example.com or firstname.lastname@example.org
Right to appeal: You have the right to appeal to a competent supervisory authority about the manner in which your personal data is processed.
17. Data security
We use appropriate technical and organisational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorised access by third parties. Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the internet and other electronic means always involves certain security risks and we cannot guarantee the security of information transmitted in this way.
When you register with us as a customer, access to your customer account is only possible after entering your personal login details in each case. You should always keep your payment information confidential and close the browser window when you have finished communicating with us, especially if you share the computer with others.
We also take internal data protection very seriously. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and to comply with the provisions of data protection law. Furthermore, they are only granted access to personal data to the extent necessary.
18. Retention periods
We shall only store personal data for as long as is required to carry out the above-mentioned tracking services and other processing within the scope of our legitimate interest.
We retain contractual data for a longer period of time, as this is required by statutory retention obligations. Retention obligations that oblige us to retain data result from accounting regulations and tax regulations. According to these regulations, business communications, contracts concluded and accounting vouchers must be kept for up to 10 years. As soon as we no longer need this data to perform services for you, the data is blocked. This means that the data may then only be used for accounting and tax purposes.
If you have any questions regarding data protection, please contact our data protection officer.
BVZ Holding AG
Matterhorn Gotthard Bahn AG
Data Protection Officer
How to contact our data protection representative in the EU
MLL EU-GDPR GmbH
Effective: January 2021